How to Create a Dental Business Continuity Plan, AKA “Emergency Mode Operation Plan”
No one wants to think about data breaches, natural disasters, or human error that could shut down your dental practice, but part of being a business owner is making sure you have an emergency action plan that will allow you to address the problem and restore operations quickly and efficiently.
All you have to do is watch the news to see how hurricanes, wildfires, and flooding are impacting both cities and rural communities. Internet crime is another threat. The FBI’s Internet Crime Complaint Center (IC3) received 880,418 complaints in 2023, with losses exceeding $12.5 billion. The dental industry is not immune. Change Healthcare confirmed in February 2024 that BlackCat/ALPHV was behind the cyberattack that disrupted claim submissions and other revenue cycle management functions for dental practices, medical practices, hospitals, and pharmacies across the country.
“Ransomware Events Have Skyrocketed”
Planet DDS hosted a webinar in July 2023 with Jeremy Baker, Special Agent in Charge, FBI; Gary Salman, CEO of Black Talon Security, LLC; Joel Olivio, Chief Information / Information Security Officer of Dental Care Alliance; and Angelina Hendricks, Chief Technology Officer of Planet DDS.
Mr. Salman said ransomware events in dentistry have skyrocketed, with the firm now getting multiple calls every week. The problems include:
- Confidential data breached, including protected health information
- Financial data accessed
- Bank accounts compromised
- Wire fraud occurred
- Business email compromised
- Servers disabled / employees locked out
- Business and patient data cannot be accessed by dentists and employees
How Do Cyber Criminals Hack into Dental Computers?
Often, security breaches occur because of outdated technology or employee error.
Some of the most common ways cyber criminals can hack into your company’s database include:
- Employee opens a phishing email and clicks on a malware link
- Employees share account logins
- Employees do not choose strong, unique passwords
- The dental practice has not implemented updated security patches on its computers and phones
- The team improperly configured firewall protections
- The computers don’t have malware detection software installed
- Various computers use different types of antivirus software and there is no consistency
- Team members lack proper training on how to spot fake emails, text messages, and links
Cyber Attack Recovery Costs Typically $500,000 and Higher
The cost of recovery is substantial. A small dental group with 12 practices may end up paying over $500,000 to stop the data leak and repair their records – and that figure does not include the cost of lost business during the time the company was shut down.
- Practices close for an average of 10–14 business days, according to Black Talon Security
- Ransomware payments typically exceed $1 million
Data also shows that once attackers are paid, they will often return with another ransomware attack because they already know that the organization has weak controls and a weak environment, along with a precedent of paying the ransom.
What is a Data Protection Impact Assessment for Dental Practices?
Data Protection Impact Assessments (DPIAs) identify, analyze, and minimize risks related to the processing of data. They are designed to reduce the risk of data exposure and the harm a data breach could cause.
Create an Emergency Action Plan for Dental Practices Before You Need It
The Emergency Action Plan must be in writing and posted in the workplace where employees can view it or have access to it.
The Emergency Action Plan should include:
- Procedures for reporting a fire or another emergency
- Procedures for evacuating employees and taking roll call to account for everyone
- Location of equipment for fire protection, communications, power, personal protective gear, first aid, and triage supplies
- Defining employees involved in critical operations and their role in the emergency
- Listing the name and job title of every employee who may be contacted for information
Employees should be trained on the emergency action plan, sign an acknowledgment form, and participate in mock exercises. Think back to when you were in school and had mock fire drills; this is the grown-up version of that.
Develop Your Business Continuity Plan
After the initial emergency has been addressed and everyone is physically safe, employees need to execute their business continuity plan to restore normal operations as quickly as possible.
A Business Continuity Plan, according to the American Dental Association, should include:
- The company’s plans and policies, including insurance policies, facility security protocols, finance and purchasing procedures, employee policies, and risk management plans.
- A list of equipment needed to resume operations
- A list of vendors’ contact information
- A list of personnel needed to resume operations and their contact information
- A backup system for critical functions, such as cloud-based medical records, payroll, communications, patient services, phone systems, and computer systems
More resources can be found in the ADA Guidelines for Practice Success, in the module on Managing Professional Risks.
Defining Your Business Interruption Recovery Strategies
First, gather the information that your team, vendors, and third parties, including law enforcement officials and security firms such as Black Talon Security, will need to start their investigation:
- Date and time the incident was discovered
- The names and contact information of anyone involved with the discovery and the response
- What was accessed and/or viewed improperly
- Submit a ticket to Denticon with Urgent Priority
Top Tips and Tools for Denticon Business Continuity
Planet DDS is dedicated to ensuring our system is running and available when you need it. However, if you experience a short-term internet disruption and need to continue treating patients, you can use an alternative internet connection available to you to access backup.denticon.com. This site will contain copies of Routing Slip and Appointment Detail reports as of midnight of the prior day. Depending on when your internet connection disruption occurred, this may provide enough information to allow you to continue treating scheduled patients.